Office Exploits Reveal New Direction In Attack Strategies - InformationWeek


Hackers are targeting people rather than machines, a Symantec security researcher says. They're not looking for hosts, but for usernames and e-mail addresses.

The recent run of publicized vulnerabilities in Microsoft Office and subsequent threats from malicious documents demonstrate that attackers are automating their hunt for exploits and turning toward targeting people, not systems, a security researcher said Monday.

The three months of Office vulnerabilities -- which started in May with Word, then spread in June and July to Excel and PowerPoint, respectively -- demonstrate a shift in tactics, said Alfred Huger, senior director of engineering with Symantec's security response group.

"They're targeting people rather than machines," he said. "They're not looking for hosts, but for usernames and e-mail addresses.

"It's difficult to get a specific person to a Web site, so when attackers target a company and aim their attacks, which is what they're doing, they're turning to client side applications like the ones in Office."

Huger laid out a scenario for a targeted attack using an Office exploit. "An attacker could find the name and e-mail address of a low-level employee in finance, from a press release, maybe, then spoof the CFO's [e-mail] address and send that employee an Excel spreadsheet," Huger said. "He'd be a lot more likely to open that spreadsheet if he thought it came from the CFO."

The noise about Office exploits has also raised awareness of so-called "fuzzer" tools, automated vulnerability finders that security researchers and hackers have used for two years or more, but that are only now appearing on the computing public's radar.

"A fuzzer sends data to any input in a program, and pounds all kinds of bizarre values to see if it [the application] chokes," said Huger. "They're widely used to find buffer overflow vulnerabilities and the like. They're also a very fast and very effective way to locate flaws.

"Fuzzers are what most people use now to look for vulnerabilities."
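A minimal mutation fuzzer of the kind Huger describes, as an added example that is not part of the original article: it mutates a valid sample of a toy record format, feeds each variant to a parser, and records the inputs that make the parser choke with an unexpected exception. The `DOC1` format and the `parse`, `mutate` and `fuzz` functions are all constructed for illustration; `strict=True` is the same parser with the bounds checks a vendor would add after triaging the findings.

```python
import random

MAGIC = b"DOC1"  # toy format (constructed): magic, then [type][length][payload] records
SEED = MAGIC + bytes([1, 3]) + b"abc" + bytes([2, 2]) + b"hi"  # valid sample file

def parse(data: bytes, strict: bool = False) -> list:
    """Toy parser. strict=False keeps the flaw: it trusts the length byte."""
    if data[:4] != MAGIC:
        raise ValueError("bad magic")  # clean rejection, not a bug
    pos, records = 4, []
    while pos < len(data):
        if strict and pos + 2 > len(data):
            raise ValueError("truncated record header")
        rtype, length = data[pos], data[pos + 1]
        payload = data[pos + 2 : pos + 2 + length]
        if strict and len(payload) != length:
            raise ValueError("length field exceeds remaining data")
        last = payload[length - 1] if length else 0  # IndexError on short payload
        records.append((rtype, length, last))
        pos += 2 + length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):  # stack 1-4 random mutations
        op = rng.randrange(3)
        if op == 0 and buf:  # overwrite one byte with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x7F, 0x80, 0xFF])
        elif op == 1 and buf:  # truncate at a random offset
            del buf[rng.randrange(len(buf)):]
        else:  # insert 1-8 random bytes
            at = rng.randrange(len(buf) + 1)
            buf[at:at] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)

def fuzz(target, iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Return the first crashing input seen per unexpected exception type."""
    rng, crashes = random.Random(rng_seed), {}
    for _ in range(iterations):
        case = mutate(SEED, rng)
        try:
            target(case)
        except ValueError:
            continue  # parser rejected the input cleanly
        except Exception as exc:  # anything else means the parser choked
            crashes.setdefault(type(exc).__name__, case)
    return crashes

if __name__ == "__main__":
    print(fuzz(parse), fuzz(lambda d: parse(d, strict=True)))
```

The saved input for each exception type is a reproducer that can be replayed against the parser while fixing it and kept afterwards as a regression test.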

Huger credited HD Moore's recent findings as the reason why fuzzers have garnered press of late, even though the tools have been in use for some time. Moore, the lead developer for the Metasploit Framework open-source exploit project, began a browser-bug-a-day blog earlier this month, and noted he was using a number of fuzzers to dig up the flaws.

"HD Moore's at the top of the food chain," said Huger, "but if he's finding lots of vulnerabilities with fuzzers, it is almost a certainty that others have done the same thing."

Both the Excel and PowerPoint attacks are thought to have Chinese origins, and it's possible they used fuzzers to dig up the exploited vulnerabilities. "I wouldn't be surprised," said Huger. However, he noted that it would mean creating new fuzzers or extensively modifying existing ones to hammer on Excel and PowerPoint.

"The threat landscape isn't static," he concluded. "Vendors need to react to this [use of fuzzers] by using them themselves to look for flaws in their products."

Microsoft is one vendor that has devoted time and money to fuzzers, Huger said. The Redmond, Wash.-based developer has said its Windows Vista teams have extensively "fuzz tested" the new operating system.

"I think that will give Vista a better foundation," said Huger. But it won't mean an end to flaws.

"[Hackers] will uncover bugs in Vista," he said. "Because it's new [code] they'll be in there."
